Replace TC_ENABLED with TC_SCRIPT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2829 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-07 22:16:03 +00:00
parent c3e0778e5f
commit d680528283
4 changed files with 90 additions and 44 deletions


@ -1,3 +1,7 @@
Changes in 2.5.9
1) Add TC_SCRIPT
Changes in 2.5.8 Changes in 2.5.8
1) Fix 'shorewall refresh' with long tcrules entries. 1) Fix 'shorewall refresh' with long tcrules entries.
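Review bot: the changelog entry "Add TC_SCRIPT" does not say that TC_ENABLED goes away. Since an existing shorewall.conf with TC_ENABLED=Yes is now treated as if nothing were set, the entry should mirror the commit title ("Replace TC_ENABLED with TC_SCRIPT") so that packagers and users reading changelog.txt notice the configuration change rather than a plain addition.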


@ -3703,16 +3703,12 @@ setup_tc1() {
run_iptables -t mangle -A FORWARD -j tcfor run_iptables -t mangle -A FORWARD -j tcfor
run_iptables -t mangle -A POSTROUTING -j tcpost run_iptables -t mangle -A POSTROUTING -j tcpost
f=$(find_file tcstart) if [ -n "$TC_SCRIPT" ]; then
if [ -f $f ]; then run_user_exit $TC_SCRIPT
run_user_exit tcstart
f=$(find_file tcstart) # In case the script used this variable
save_progress_message "Restoring Traffic Control..." save_progress_message "Restoring Traffic Control..."
save_command . $f save_command . $TC_SCRIPT
else else
setup_traffic_shaping setup_traffic_shaping
fi fi
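Review bot: the clobber guard in setup_tc1 was dropped but its comment was kept. The old code re-ran `f=$(find_file tcstart)` after `run_user_exit tcstart` because the user script executes in this shell and may overwrite the variable; in the new code the line "# In case the script used this variable" describes nothing, and `save_command . $TC_SCRIPT` uses whatever value the user script left in TC_SCRIPT. Either copy TC_SCRIPT to a local before `run_user_exit $TC_SCRIPT` and use that copy in save_command, or delete the now-misleading comment if TC_SCRIPT is meant to be reserved. The path in the saved `.` command should also be quoted, since it is taken verbatim from shorewall.conf.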
@ -4133,8 +4129,8 @@ refresh_tc() {
setup_tc1 setup_tc1
fi fi
if [ -n "$TC_ENABLED" ]; then if [ -n "$TC_SCRIPT" ]; then
run_user_exit tcstart run_user_exit $TC_SCRIPT
else else
setup_traffic_shaping setup_traffic_shaping
fi fi
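Review bot: run_user_exit is now handed a resolved path in refresh_tc (`run_user_exit $TC_SCRIPT`) where it used to receive the bare name `tcstart`. If run_user_exit resolves its argument via find_file and CONFIG_PATH, confirm that an absolute path passes through unchanged; otherwise the file that do_initialize validated with `[ -f $TC_SCRIPT ]` is not necessarily the one executed here.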
@ -9171,7 +9167,7 @@ do_initialize() {
LOGLIMIT= LOGLIMIT=
ADD_IP_ALIASES= ADD_IP_ALIASES=
ADD_SNAT_ALIASES= ADD_SNAT_ALIASES=
TC_ENABLED= TC_SCRIPT=
BLACKLIST_DISPOSITION= BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
CLAMPMSS= CLAMPMSS=
@ -9295,7 +9291,6 @@ do_initialize() {
[ -n "$ALLOWRELATED" ] || \ [ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported" startup_error "ALLOWRELATED=No is not supported"
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
TC_ENABLED="$(added_param_value_yes TC_ENABLED $TC_ENABLED)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit" LOGLIMIT="--match limit"
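Review bot: TC_ENABLED is no longer read anywhere once this line is removed, so a shorewall.conf that still says TC_ENABLED=Yes silently switches the firewall from the user's tcstart script to the internal shaper at the next restart. The release notes tell those users to set TC_SCRIPT=/etc/shorewall/tcstart; do_initialize should back that up with a warning, or a startup_error, when TC_ENABLED is non-empty and TC_SCRIPT is empty, in the spot where the `added_param_value_yes TC_ENABLED` line stood.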
@ -9421,6 +9416,12 @@ do_initialize() {
;; ;;
esac esac
if [ -n "$TC_SCRIPT" ] ; then
f="$TC_SCRIPT"
TC_SCRIPT=$(find_file $TC_SCRIPT)
[ -f $TC_SCRIPT ] || startup_error "Unable to find TC_SCRIPT file ($f)"
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
# #
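Review bot: the new existence check is unquoted. `[ -f $TC_SCRIPT ]` with an empty expansion becomes `[ -f ]`, which test evaluates as a non-empty string and reports true, and a path containing whitespace splits into several arguments; use `[ -f "$TC_SCRIPT" ]` and `TC_SCRIPT=$(find_file "$f")`. Because the file named here is later sourced into the generated firewall script as root (`save_command . $TC_SCRIPT`), a readability check (`-r`) and a comment noting that the file must be trusted would also be appropriate at this point.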


@ -1,24 +1,16 @@
Shorewall 2.5.8. Shorewall 2.5.9.
Problems Corrected in 2.5.8: Problems Corrected in 2.5.9:
1) "shorewall refresh" will fail if there are entries in New Features in 2.5.9:
/etc/shorewall/tcrules with non-empty USER/GROUP or TEST columns.
New Features in 2.5.8: 1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the
option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.
1) Normally MAC verification triggered by the 'maclist' interface and host Users who currently use an /etc/shorewall/tcstart file should set
options is done out of the INPUT and FORWARD chains of the filter table. TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf.
Users have reported that under some circumstances, MAC verification is
failing for forwarded packets when the packets are being forwarded out
of a bridge.
To work around this problem, a MACLIST_TABLE option has been added to
shorewall.conf. The default value is MACLIST_TABLE=filter which results
in the current behavior. If MACLIST_TABLE=mangle then filtering will
take place out of the PREROUTING chain of the mangle table. Because
the REJECT target may not be used in the PREROUTING chain, the settings
MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.
Migration Considerations: Migration Considerations:
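Review bot: "Problems Corrected in 2.5.9:" is left with no entries. If nothing was fixed, write "None." under the heading so the section does not read as truncated; if the tcrules refresh fix from 2.5.8 is meant to be listed again, carry the removed item forward instead of deleting it.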
@ -61,6 +53,14 @@ Migration Considerations:
and a comma-separated list of the parent and a comma-separated list of the parent
zones. The parent zones must have been defined zones. The parent zones must have been defined
in earlier records in this file. in earlier records in this file.
1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the
option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.
Users who currently use an /etc/shorewall/tcstart file should set
TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf.
Example: Example:
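Review bot: the TC_SCRIPT paragraph is pasted into the middle of the zones migration note here, between the sentence ending "in earlier records in this file." and its "Example:". The paragraph belongs only in item 11 under Migration Considerations; delete this copy.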
@ -89,7 +89,15 @@ Migration Considerations:
exactly one 'firewall' zone. No options are exactly one 'firewall' zone. No options are
permitted with a 'firewall' zone. permitted with a 'firewall' zone.
OPTIONS, A comma-separated list of options as OPTIONS, A comma-separated list of options as1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the
option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.
Users who currently use an /etc/shorewall/tcstart file should set
TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf.
IN OPTIONS, follows: IN OPTIONS, follows:
OUT OPTIONS OUT OPTIONS
reqid=<number> where <number> is reqid=<number> where <number> is
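Review bot: the paste splits the sentence "A comma-separated list of options as follows:", leaving "follows:" stranded on the IN OPTIONS line after the TC_SCRIPT paragraph. Remove the inserted paragraph so the OPTIONS description reads as one sentence again.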
@ -115,7 +123,15 @@ Migration Considerations:
available with mode=tunnel) available with mode=tunnel)
strict Means that packets must match strict Means that packets must ma1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the
option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.
Users who currently use an /etc/shorewall/tcstart file should set
TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf.
tch
all rules. all rules.
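Review bot: the paste lands inside the word "match" ("packets must ma" / "tch"), producing a stray line consisting of "tch". Delete the inserted TC_SCRIPT paragraph and rejoin "match" on its original line.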
@ -160,7 +176,15 @@ Migration Considerations:
it is not set (such as if you are using your old shorewall.conf it is not set (such as if you are using your old shorewall.conf
file) then Shorewall will perform the substitution. Once you have file) then Shorewall will perform the substitution. Once you have
converted to use the new macros, you can set MAPOLDACTIONS=No and converted to use the new macros, you can set MAPOLDACTIONS=No and
invocations of those actions will go much quicker during 'shorewall invocations of those actions will go much quicker during 'shore1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the
option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.
Users who currently use an /etc/shorewall/tcstart file should set
TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf.
wall
[re]start'. [re]start'.
6) The STATEDIR variable in /etc/shorewall/shorewall.conf has been 6) The STATEDIR variable in /etc/shorewall/shorewall.conf has been
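Review bot: the same stray paste appears in the MAPOLDACTIONS note, where "shorewall" is split into "shore" and "wall" around the TC_SCRIPT paragraph and the phrase "during 'shorewall [re]start'" no longer parses. Remove the paragraph and restore the original line.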
@ -211,13 +235,14 @@ Migration Considerations:
Note that the rule is added at the front of the NEW section of the Note that the rule is added at the front of the NEW section of the
rules file. rules file.
11) The meaning of TC_ENABLED has been changed to coincide with the 11) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the
integration of tc4shorewall. Beginning with this release, option is not set then the internal shaper (tc4shorewall by Arne
the /etc/shorewall/tcrules file will be processed unconditionally Bernin) is used. Otherwise, the script named in the variable is
(assuming that your kernel and iptables have Packet Mangling support). used.
TC_ENABLED=Yes will cause Shorewall to look for an external tcstart
script as it does today. TC_ENABLED=No will cause Shorewall to use Users who currently use an /etc/shorewall/tcstart file and wish to
its internal traffic shaper (tc4shorewall). continue to do so should set
TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf.
New Features in Shorewall 2.5.* New Features in Shorewall 2.5.*
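Review bot: item 11 says TC_SCRIPT replaces TC_ENABLED but not what happens to a configuration that still sets TC_ENABLED: the option is now ignored and the internal shaper is selected. State that explicitly, since it is the silent behaviour change a user restarting with an old shorewall.conf will hit. This is also the one copy of the paragraph that should remain in the file; the others scattered through earlier notes are accidental duplicates.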
@ -564,4 +589,17 @@ New Features in Shorewall 2.5.*
ipp2p:all Matches both UDP and TCP traffic. You may ipp2p:all Matches both UDP and TCP traffic. You may
not specify a SOURCE PORT with this PROTOCOL. not specify a SOURCE PORT with this PROTOCOL.
28) Normally MAC verification triggered by the 'maclist' interface and host
options is done out of the INPUT and FORWARD chains of the filter table.
Users have reported that under some circumstances, MAC verification is
failing for forwarded packets when the packets are being forwarded out
of a bridge.
To work around this problem, a MACLIST_TABLE option has been added to
shorewall.conf. The default value is MACLIST_TABLE=filter which results
in the current behavior. If MACLIST_TABLE=mangle then filtering will
take place out of the PREROUTING chain of the mangle table. Because
the REJECT target may not be used in the PREROUTING chain, the settings
MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.


@ -394,15 +394,18 @@ ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No RETAIN_ALIASES=No
# #
# ENABLE TRAFFIC SHAPING # ENABLE EXTERNAL TRAFFIC SHAPER
# #
# If you say "Yes" or "yes" here, Shorewall will look for an executable script # If you wish for Shorewall to run an external traffic shaping script such as
# in the CONFIG_PATH to execute to configure traffic shaping. # WonderShaper then set TC_SCRIPT to the file name of that script.
# If you say "No" or "no" then Shorewall will use it's internal traffic shaper #
# "tc4shorewall" by Arne Bernin. # Example: TC_SCRIPT=/etc/shorewall/tcstart
#
# If you leave the option empty then Shorewall will use its internal traffic
# shaper "tc4shorewall" by Arne Bernin.
# #
TC_ENABLED=No TC_SCRIPT=
# #
# Clear Traffic Shapping/Control # Clear Traffic Shapping/Control